GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

    Adam Shostack (adamshostack@infosec.exchange), Friday, 13-Dec-2024 04:19:48 JST:

    Is there any meaningful security benefit to one time codes being more than 4-6 digits?

    (For any of TOTP, email, or sms delivery.)

    • Ryan Castellucci (ryanc@infosec.exchange), Friday, 13-Dec-2024 04:19:47 JST, in reply:

      @adamshostack they make people feel more secure

    • Adam Shostack (adamshostack@infosec.exchange), Friday, 13-Dec-2024 04:21:00 JST, in reply to Ryan Castellucci:

      @ryanc I don't mean to be snarky, but, really? Is this a studied thing?

    • Ryan Castellucci (ryanc@infosec.exchange), Friday, 13-Dec-2024 05:11:08 JST, in reply:

      @adamshostack I'm not aware of any such study. I was being a bit flippant; honestly, it's probably more about how the people making decisions about implementing them feel.

      Longer ones make issues related to rate limits and race conditions less relevant.

      My bank uses eight alphanumeric characters for logging into online banking and making transfers, but six digits for online debit card transactions.

      This doesn't seem coherent to me, but I really don't want to think too much about their backend.

      You might look for papers which cite this: https://dl.acm.org/doi/abs/10.1145/3473040


      Attachment (link preview): On the Security of Smartphone Unlock PINs, ACM Transactions on Privacy and Security, Adam J. Aviv
        "In this article, we provide the first comprehensive study of user-chosen four- and six-digit PINs (n=1705) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, ..."
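The point above, that a longer code makes rate-limit and race-condition weaknesses matter less, and the "throttled attacker with N guesses" framing of the linked paper, both come down to one ratio: the attacker's online guess budget divided by the number of codes the generator can actually emit. The following is an added worked example written for this page; it is not code from either participant. It implements RFC 4226 HOTP (so the digit count is visibly just the modulus, with the 31-bit truncation capping the real code space), computes guessing odds for different lengths and alphabets, and shows a throttled email/SMS-style verifier whose check-and-increment is done under one lock so concurrent submissions cannot multiply the budget. The RFC 4226 Appendix D test secret is real; the account name "alice" and the five-attempt budget are constructed for illustration.

```python
"""Added example: OTP length vs. attempt budget, HOTP (RFC 4226), and a
race-free throttled verifier. Not from the thread or its participants."""
import hashlib
import hmac
import secrets
import struct
import threading


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits.
    Digit count is purely a presentation choice at this last step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def effective_space(digits: int) -> int:
    """Distinct codes an HOTP/TOTP generator can actually emit. Truncation
    yields a 31-bit value, so 10 or more digits buy nothing beyond 2**31
    possibilities (the leading digit of a 10-digit code is always 0, 1 or 2)."""
    return min(10 ** digits, 2 ** 31)


def guess_success_probability(length: int, guesses: int, alphabet_size: int = 10) -> float:
    """Chance an attacker wins with `guesses` distinct online attempts against
    one uniformly random code of `length` symbols over `alphabet_size` symbols."""
    return min(1.0, guesses / alphabet_size ** length)


def min_length_for(target_p: float, guesses: int, alphabet_size: int = 10) -> int:
    """Smallest code length whose success probability under `guesses` attempts
    does not exceed `target_p`."""
    length = 1
    while guesses / alphabet_size ** length > target_p:
        length += 1
    return length


class ThrottledOtpStore:
    """Server side of an email/SMS-style code: issue a random code, allow at
    most `max_attempts` verifications, consume the code on success or when the
    budget is spent. Check-and-increment happens under a single lock, so N
    simultaneous submissions cannot all observe "attempts < max" before any
    one of them increments; that race would turn a 5-guess budget into N*5."""

    def __init__(self, digits: int = 6, max_attempts: int = 5) -> None:
        self.digits = digits
        self.max_attempts = max_attempts
        self._pending: dict[str, list] = {}  # account -> [code, attempts_used]
        self._lock = threading.Lock()

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        with self._lock:
            self._pending[account] = [code, 0]  # a fresh code gets a fresh budget
        return code

    def verify(self, account: str, submitted: str) -> bool:
        with self._lock:
            entry = self._pending.get(account)
            if entry is None:
                return False  # nothing outstanding: consumed, exhausted, or never issued
            entry[1] += 1
            ok = hmac.compare_digest(entry[0], submitted)
            if ok or entry[1] >= self.max_attempts:
                del self._pending[account]  # one-time: success or exhaustion ends this code
            return ok


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    for digits in (6, 8, 10):
        print(digits, "digits:", hotp(key, 0, digits), "effective space:", effective_space(digits))
    for length in (4, 6, 8):
        print(f"{length} digits, 5 guesses: p = {guess_success_probability(length, 5):.1e}")
    print(f"8 alphanumeric, 5 guesses: p = {guess_success_probability(8, 5, 36):.1e}")
    print("digits needed for p <= 1e-6 with 5 guesses:", min_length_for(1e-6, 5))
```

The attempt budget has to be enforced per issued code (and reset only by issuing a new one) rather than per request, and a successful verification must consume the code; otherwise the length calculation is meaningless, because the attacker simply keeps the same code alive while retrying.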
    • Adam Shostack (adamshostack@infosec.exchange), Friday, 13-Dec-2024 06:11:03 JST, in reply to Ryan Castellucci:

      @ryanc Well that’ll teach me to take you seriously! 😂

    • Ryan Castellucci (ryanc@infosec.exchange), Friday, 13-Dec-2024 06:19:16 JST, in reply:

      @adamshostack I make a point of deadpan delivery of unserious content in order to establish a pattern that provides plausible deniability.

    • Adam Shostack (adamshostack@infosec.exchange), Friday, 13-Dec-2024 06:20:17 JST, in reply to Ryan Castellucci:

      @ryanc Surely…



GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.